Set Up Communication between Junos OS Enforcer and IC Series UAC Appliance
In a Unified Access Control (UAC) network, an SRX Series Firewall is called as Junos OS Enforcer when it is deployed in the UAC environment. The SRX Series Firewall verifies the certificate which IC Series appliance submits. The SRX Series Firewall and IC Series appliance perform mutual authentication. After authentication, the IC Series appliance sends user and resource access policy information to the SRX Series Firewall to act as the Junos OS Enforcer.
Understanding Communications Between the Junos OS Enforcer and the IC Series UAC Appliance
When you configure an SRX Series Firewall to connect to an IC Series UAC Appliance, the SRX Series Firewall and the IC Series appliance establish secure communications as follows:
-
If more than one IC Series device are configured as Infranet Controllers on the SRX Series Firewall, a round-robin algorithm determines which of the configured IC Series devices is the active Infranet Controller. The others are failover devices. If the active Infranet Controller becomes inoperative, the algorithm is reapplied to the remaining IC Series devices that are configured to establish the new active Infranet Controller.
-
The active IC Series appliance presents its server certificate to the SRX Series Firewall. If configured to do so, the SRX Series Firewall verifies the certificate. (Server certificate verification is not required; however, as an extra security measure you can verify the certificate to implement an additional layer of trust.)
-
The SRX Series Firewall and the IC Series appliance perform mutual authentication using the proprietary challenge-response authentication. For security reasons, the password is not included in the message sent to the IC Series appliance.
-
After successfully authenticating with the SRX Series Firewall, the IC Series appliance sends its user authentication and resource access policy information. The SRX Series Firewall uses this information to act as the Junos OS Enforcer in the UAC network.
Thereafter, the IC Series appliance and the Junos OS Enforcer can communicate freely with one another over the SSL connection. The communications are controlled by a proprietary protocol called Junos UAC Enforcer Protocol (JUEP).
Understanding Communications Between Junos OS Enforcer and a Cluster of IC Series UAC Appliances
You can configure a Junos OS Enforcer to work with more than one IC Series UAC Appliance in a high availability configuration known as an IC Series appliance cluster. The Junos OS Enforcer communicates with only one IC Series appliance at a time; the other IC Series appliances are used for failover. If the Junos OS Enforcer cannot connect to the first IC Series appliance you added to a cluster, it tries to connect to the failed IC Series appliance again. Then it fails over to the other IC Series appliances in the cluster. It continues trying to connect to IC Series appliances in the cluster until a connection occurs.
When the Junos OS Enforcer cannot establish a connection to an Infranet Enforcer, it preserves all its existing authentication table entries and Unified Access Control (UAC) policies and takes the timeout action that you specify. Timeout actions include:
close—Close existing sessions and block any further traffic. This is the default option.no-change—Preserve existing sessions and require authentication for new sessions.open—Preserve existing sessions and allow new sessions access.
Once the Junos OS Enforcer can reestablish a connection to an IC Series appliance, the IC Series appliance compares the authentication table entries and UAC policies stored on the Junos OS Enforcer with the authentication table entries and policies stored on the IC Series appliance and reconciles the two as required.
The IC Series appliances configured on a Junos OS Enforcer should all be members of the same IC Series appliance cluster.
Configuring Communications Between the Junos OS Enforcer and the IC Series UAC Appliance (CLI Procedure)
Before you begin:
Enable UAC through the relevant Junos OS security policies. See Enabling UAC in a Junos OS Environment (CLI Procedure).
-
(Optional) Create a profile for the certificate authority (CA) that signed the IC Series appliance’s server certificate, and import the CA certificate onto the SRX Series Firewall. See Example: Loading CA and Local Certificates Manually.
Configure user authentication and authorization by setting up user roles, authentication and authorization servers, and authentication realms on the IC Series appliance.
Configure resource access policies on the IC Series appliance to specify which endpoints are allowed or denied access to protected resources.
To configure an SRX Series Firewall to act as a Junos OS Enforcer in a UAC deployment, and therefore to enforce IC Series UAC Appliance policies, you must specify an IC Series appliance to which the SRX Series Firewall should connect.
To configure an SRX Series Firewall to act as a Junos OS Enforcer:
-
Specify the IC Series appliance(s) to which the SRX Series Firewall should connect.
-
To specify the IC Series appliance hostname:
user@host# set services unified-access-control infranet-controller hostname
-
To specify the IC Series appliance IP address:
user@host# set services unified-access-control infranet-controller hostname address ip-address
Note:When configuring access to multiple IC Series appliances, you must define each separately. For example:
user@host# set services unified-access-control infranet-controller IC1 user@host# set services unified-access-control infranet-controller IC2 user@host# set services unified-access-control infranet-controller IC3
user@host# set services unified-access-control infranet-controller IC1 address 10.10.10.1 user@host# set services unified-access-control infranet-controller IC2 address 10.10.10.2 user@host# set services unified-access-control infranet-controller IC3 address 10.10.10.3
Make sure that all of the IC Series appliances are members of the same cluster.
Note:By default, the IC Series appliance should select port 11123.
-
Specify the Junos OS interface to which the IC Series appliance should connect:
user@host# set services unified-access-control infranet-controller hostname interface interface-name
-
Specify the password that the SRX Series Firewall should use to initiate secure communications with the IC Series appliance:
Note:Any change in the Unified Access Control’s (UAC) contact interval and timeout values in the SRX Series Firewall will be effective only after the next reconnection of the SRX Series Firewall with the IC Series appliance.
user@host# set services unified-access-control infranet-controller hostname password password
-
(Optional) Specify information about the IC Series appliance’s server certificate that the SRX Series Firewall needs to verify the certificate.
-
To specify the server certificate subject that the SRX Series Firewall checks:
user@host# set services unified-access-control infranet-controller hostname server-certificate-subject certificate-name
-
To specify the CA profile associated with the certificate:
user@host# set services unified-access-control infranet-controller hostname ca-profile ca-profile
-
An IC Series appliance server certificate can be issued by an intermediate CA. There are two types of CAs—root CAs and intermediate CAs. An intermediate CA is secondary to a root CA and issues certificates to other CAs in the public key infrastructure (PKI) hierarchy. Therefore, if a certificate is issued by an intermediate CA, you need to specify the complete list of CA profiles in the certification chain.
Understanding Junos OS Enforcer Implementations Using IPsec
To configure an SRX Series Firewall to act as a Junos OS Enforcer using IPsec, you must:
Include the identity configured under the security IKE gateway. The identity is a string such as “gateway1.mycompany.com”, where gateway1.mycompany.com distinguishes between IKE gateways. (The identities specify which tunnel traffic is intended.)
Include the preshared seed. This generates the preshared key from the full identity of the remote user for Phase 1 credentials.
Include the RADIUS shared secret. This allows the IC Series UAC Appliance to accept RADIUS packets for extended authentication (XAuth) from the Junos OS Infranet Enforcer.
When configuring IPsec between the IC Series appliance, the Odyssey Access Client, and the SRX Series Firewall, you should note that the following are IKE (or Phase 1) proposal methods or protocol configurations that are supported from the IC Series appliance to the Odyssey Access Client:
IKE proposal:
authentication-method pre-shared-keys(you must specifypre-shared-keys)IKE policy:
mode aggressive(you must use aggressive mode)pre-shared-key ascii-text key(only ASCII text preshared-keys are supported)
IKE gateway: dynamic
hostname identity(you must specify a unique identity among gateways)ike-user-type group-ike-id(you must specifygroup-ike-id)xauth access-profile profile(you must specifyxauth)
The following are IPsec (or Phase 2) proposal methods or protocol configurations that are supported from the IC Series appliance to the Odyssey Access Client.
IPsec proposal:
protocol esp(you must specifyesp)IPsec VPN:
establish-tunnels immediately(you must specifyestablish-tunnels immediately)
Only one IPsec VPN tunnel is supported per from-zone to to-zone security policy. This is a limitation on the IC Series appliance.
Junos OS security policies enable you to define multiple policies differentiated by different source addresses, destination addresses, or both. The IC Series appliance, however, cannot differentiate such configurations. If you enable multiple policies in this manner, the IC Series appliance could potentially identify the incorrect IKE gateway.
Example: Configuring the Device as a Junos OS Enforcer Using IPsec (CLI)
To configure an SRX Series Firewall to act as a Junos OS Enforcer using IPsec:
Set system and syslog information using the following configuration statements:
system { host-name test_host; domain-name test.mycompany.com; host-name test_host; root-authentication { encrypted-password "$ABC123"; } services { ftp; ssh; telnet; web-management { http { interface ge-0/0/0.0; } } } syslog { user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.mycompany.com/junos/key_retrieval; } } ntp { boot-server 1.2.3.4; server 1.2.3.4; } }Note:On SRX Series Firewalls, the factory default for the maximum number of backup configurations allowed is five. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.
To modify the factory defaults, use the following commands:
root@host# set system max-configurations-on-flash number root@host# set system max-configuration-rollbacks number
where max-configurations-on-flash indicates backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.
Configure the interfaces using the following configuration statements:
interfaces { ge-0/0/0 { unit 0 { family inet { address 10.64.75.135/16; } } } ge-0/0/1 { unit 0 { family inet { address 10.100.54.1/16; } } } ge-0/0/2 { unit 0 { family inet { 10.101.54.1/16; } } }Configure routing options using the following configuration statements:
routing-options { static { route 0.0.0.0/0 next-hop 10.64.0.1; route 10.11.0.0/16 next-hop 10.64.0.1; route 172.0.0.0/8 next-hop 10.64.0.1; route 10.64.0.0/16 next-hop 10.64.0.1; } }Configure security options using the following configuration statements:
security { ike { traceoptions { file ike; flag all; } proposal prop1 { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; } policy pol1 { mode aggressive; proposals prop1; pre-shared-key ascii-text "$ABC123"; } gateway gateway1 { ike-policy pol1; dynamic { hostname gateway1.mycompany.com; connections-limit 1000; ike-user-type group-ike-id; } external-interface ge-0/0/0; xauth access-profile infranet; } gateway gateway2 { ike-policy pol1; dynamic { hostname gateway2.mycompany.com; connections-limit 1000; ike-user-type group-ike-id; } external-interface ge-0/0/0; xauth access-profile infranet; } }Configure IPsec parameters using the following configuration statements:
ipsec { proposal prop1 { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; lifetime-seconds 86400; } policy pol1 { proposals prop1; } vpn vpn1 { ike { gateway gateway1; ipsec-policy pol1; } } vpn vpn2 { ike { gateway gateway2; ipsec-policy pol1; } } }Configure screen options using the following configuration statements:
screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; queue-size 2000; timeout 20; } land; } } }Configure zones using the following configuration statements:
zones { security-zone trust { tcp-rst; host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/0.0; } } security-zone untrust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/1.0; } } security-zone zone101 { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/2.0; } } }Configure policies for UAC using the following configuration statements:
policies { from-zone trust to-zone trust { policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone untrust { policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } } policy default-deny { match { source-address any; destination-address any; application any; } then { permit; } } policy pol1 { match { source-address any; destination-address any; application any; } then { permit { tunnel { ipsec-vpn vpn1; } application-services { uac-policy; } } log { session-init; session-close; } } } } from-zone untrust to-zone trust { policy pol1 { match { source-address any; destination-address any; application any; } then { permit; log { session-init; session-close; } } } } from-zone trust to-zone zone101 { policy pol1 { match { source-address any; destination-address any; application any; } then { permit { tunnel { ipsec-vpn vpn2; } application-services { uac-policy; } } log { session-init; session-close; } } } policy test { match { source-address any; destination-address any; application any; } then { permit; } } } default-policy { deny-all; } } }Configure RADIUS server authentication access using the following configuration statements:
access { profile infranet { authentication-order radius; radius-server { 10.64.160.120 secret "$ABC123"; } } }Configure services for UAC using the following configuration statements:
services { unified-access-control { infranet-controller IC27 { address 3.23.1.2; interface ge-0/0/0.0; password "$ABC123"; } infranet-controller prabaIC { address 10.64.160.120; interface ge-0/0/0.0; password "$ABC123"; } certificate-verification optional; traceoptions { flag all; } } }